                                          March 18, 2008

MEMORANDUM TO:              Luis A. Reyes
                            Executive Director for Operations

FROM:                       Stephen D. Dingbaum /RA/
                            Assistant Inspector General for Audits

SUBJECT:                    MEMORANDUM REPORT: NRC'S PLANNED
                            CYBERSECURITY PROGRAM (OIG-08-A-06)

As part of the Office of the Inspector General's (OIG) audit of NRC's Oversight of Licensees' Nuclear Security Officers, OIG interviewed agency staff to determine how upcoming changes to NRC's cybersecurity oversight processes might impact the agency's physical security inspection program. Through this work, OIG identified an issue that could adversely affect NRC's oversight of licensees' cybersecurity programs for nuclear power plants. In particular, although NRC is making progress in developing cybersecurity regulations and a corresponding inspection program, it lacks a clear plan for the inspection program.

BACKGROUND

Cybersecurity refers to the branch of security that protects information technology (IT) infrastructure. IT infrastructure encompasses not only the public internet, but also the less visible systems and connections of the Nation's critical infrastructures, such as nuclear power plants and electric power distribution grids. Cybersecurity is increasingly important to the nuclear power industry as plants upgrade from analogue to digital control systems, which are vulnerable to attacks by criminals and foreign governments. These cyber attacks can temporarily disrupt computer networks, or more seriously, cause failure of public services. According to the U.S. Central Intelligence Agency (CIA), for instance, extortionists recently penetrated computer systems of utility companies outside the U.S. and caused power outages that affected multiple cities.

Audit of NRC's Planned Cybersecurity Program

In response to the current threat environment, Federal government agencies are taking programmatic and policy actions to strengthen public and private sector cybersecurity. The U.S. Department of Homeland Security (DHS), which is the federal government's focal point for cybersecurity, disseminates threat information, and provides private industry with guidance and analytic tools to assess cybersecurity measures and mitigate vulnerabilities. The U.S. Department of Energy (DOE) conducts research and development, and develops planning guidance, to help industries in the energy sector strengthen their defenses against cyber threats. Most recently, the U.S. Federal Energy Regulatory Commission (FERC) issued new cybersecurity regulations in January 2008 to give electric utilities a set of comprehensive standards for protecting the power transmission infrastructure against cyber attacks.1

NRC began a rulemaking process in 2006 to address cybersecurity at nuclear power plants. This rulemaking will amend the Code of Federal Regulations (CFR)2 to incorporate elements of cybersecurity orders and guidance issued by NRC following the terrorism incidents of September 11, 2001.3 The proposed new requirements would require that nuclear power plant licensees and license applicants implement a comprehensive cybersecurity program to ensure that applicable computer systems are protected from cyber attacks. NRC plans tentatively to oversee licensees' compliance with these regulations by adding cybersecurity inspections to the agency's baseline security inspection program.4

1  18 CFR 40, "Mandatory Reliability Standards for Critical Infrastructure Protection."
2  10 CFR 73.55, "Requirements for physical protection of licensed activities in nuclear power reactors against radiological sabotage."
3  EA-02-026, Interim Compensatory Measures; and EA-03-086, Design Basis Threat.
4  Inspection Procedure (IP) 71130, "Physical Protection."

ISSUES FOR CONSIDERATION

NRC is taking steps to develop cybersecurity regulations and a corresponding inspection program, but has not determined how it will conduct and support inspections. Without a clear implementation plan for cybersecurity inspections, NRC could face difficulties in overseeing licensees' cybersecurity programs, thereby increasing the risks to nuclear power plant security.

Successful Implementation in 2010 Requires Advance Planning

NRC aims to begin inspections of licensee cybersecurity programs as early as calendar year 2010, following completion of the ongoing rulemaking and a grace period for licensees to implement the new regulations. NRC's main objectives in establishing new cybersecurity regulations are, in order of priority:

    •   Maintaining safety and security;
    •   Increasing public confidence;
    •   Making NRC activities and decisions more effective, efficient, and realistic;
    •   Reducing unnecessary regulatory burden on stakeholders.

Internal NRC guidance recognizes that agency staff work most effectively when appropriately deployed and fully engaged in fulfilling the agency's mission. NRC security inspectors are trained and experienced to carry out specific physical security oversight tasks; cybersecurity, however, is a separate discipline requiring unique training and subject matter expertise. NRC's FY 2009 Performance Budget acknowledges a need to focus on recruiting and retaining skilled personnel in these fields.5 In short, NRC has less than two years to develop an implementation plan, and recruit and train qualified staff.

5  U.S. Nuclear Regulatory Commission Performance Budget Fiscal Year 2009, p.131.
   http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1100/v24/sr1100.pdf

NRC Lacks Clear Plan for Cybersecurity Inspections

NRC has not finalized a clear plan for implementation of a cybersecurity inspection program. New regulations governing nuclear power plant licensees' cybersecurity programs are expected to take effect in calendar year 2010, and a contractor has been tasked with writing inspection procedures. However, the agency has yet to resolve several issues that will impact implementation of the inspection program. In particular, agency management has not determined:

            •   respective roles of agency staff and contractors in conducting cybersecurity inspections;
            •   staff requirements for cybersecurity inspections and headquarters support; and
            •   resources needed for initial training of cybersecurity inspectors, and for follow-on training to maintain technical proficiency.

Agency plans acknowledge the need to recruit and retain personnel in cybersecurity; however, the agency's plans vis-à-vis this objective are uncertain.

Inadequate Implementation Plan Could Compromise Physical and Cybersecurity Inspection Programs

The absence of a clear plan could jeopardize implementation of a cybersecurity inspection program in calendar year 2010. OIG believes that NRC management should carefully consider the implications of adding cybersecurity to the baseline security inspection program. First, inspecting licensees' cybersecurity posture requires a highly-trained staff to inspect and evaluate cybersecurity infrastructure. Several regional baseline security inspectors expressed concern that they are not qualified to perform the cybersecurity inspections. Specifically, inspectors commented that their experience and training in physical security does not directly apply to cybersecurity. Furthermore, agency staff commented that there are limits to which non-cybersecurity professionals can be trained for cybersecurity, which is a highly technical and dynamic field requiring continuous training.

Second, the added workload associated with the cybersecurity inspection module could adversely affect security inspectors' efforts in other areas of physical security oversight. Specifically, the time and effort spent by regional security inspectors on cybersecurity efforts could divert their attention from other physical security inspection tasks.

Third, without a clear implementation strategy for cybersecurity inspections, NRC may lack sufficient qualified staff to oversee licensees' cybersecurity programs. Without robust cybersecurity oversight, NRC faces increased risk that cyberattacks, human error, or technological failure could compromise IT systems that are critical to nuclear power plant operations.

RECOMMENDATION

OIG recommends that the Executive Director for Operations:

1.   Develop and implement plans for a cybersecurity oversight program that captures skill set and workload requirements for cybersecurity inspections, and targets resources to prepare for program implementation in calendar year 2010.

AGENCY COMMENTS

During an exit conference on February 21, 2008, NRC officials agreed with the finding and recommendation in the draft report. Clarifying comments on the draft report were incorporated as appropriate. The agency opted not to submit formal written comments to this report.

Please provide information on actions taken or planned on the recommendation within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow-up, as stated in the attached instructions.

SCOPE AND METHODOLOGY

The OIG audit team reviewed relevant internal agency documents, such as NRC's inspection procedures, management guidance, budget plans, and cybersecurity policy development documents. The team also reviewed cybersecurity guidance developed and used by the nuclear industry to reinforce NRC guidance. To understand other Federal agencies' cybersecurity activities, the team reviewed relevant documentation from the U.S. Federal Energy Regulatory Commission, as well as reports from the U.S. Government Accountability Office.

Auditors interviewed headquarters staff in NSIR to learn their roles and responsibilities as they pertain to the planned cybersecurity inspection program. Auditors also interviewed region-based physical security inspectors to obtain their views on cybersecurity and its relationship to NRC's physical security oversight processes.

This work was conducted from January 2008 through February 2008, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The work was conducted by: Beth Serepca, Team Leader; Judy Gordon, Audit Manager; Paul Rades, Senior Analyst; and Jaclyn Storch, Management Analyst.